Google takes software security very, very seriously. So seriously, in fact, that they have no problem stepping on one of their main competitors’ toes when they notice something that needs fixing.

Whose toes are getting stepped on? Microsoft’s, and they’re pretty unhappy about how things went down.

According to the latest update on Google’s security blog, they notified both Microsoft and Adobe about vulnerabilities on October 21st. The need for a fix was urgent: Google had proof that the flaws they uncovered were already being exploited in the wild.

Adobe delivered a patch for Flash in just five short days. Yes, really. They’re not the same company they used to be. They’ve made it clear time and time again that they actually give a damn about security now.

Microsoft needed a bit more time, but unfortunately, that doesn’t mesh with Project Zero’s M.O. Companies have seven days to respond to a vulnerability that’s believed to be critical (like this one was). After those seven days have passed, the discovery gets publicized in the name of transparency.

Well, transparency and leverage. It’s a good way to convince a company to deliver a patch.

Flash is not an operating system, though, and Microsoft says they needed more time. They know what’s at stake, but they also have to consider what might happen if they quickly throw together a patch and something goes wrong. They don’t want to make things worse by getting user machines stuck in a reboot loop or unleashing a flood of blue screens.

Microsoft also noted that for an attacker to be successful, both vulnerabilities had to be present on a system. If Adobe successfully delivered a patch, then, the situation might no longer be critical.

Google stuck to their guns, however, and disclosed. And this isn’t the first time they put Microsoft in this position. They had made a similar disclosure about Windows 8.1 in 2015 before Microsoft had a chance to fix it. Google decided to implement a two-week grace period after Microsoft cried foul, but there are clearly some cases where they’re not willing to be flexible.